
U.S. Technology Marketplace: Opportunities & Pitfalls for Selling to the Southerners

Canadian Technology Forum, June 10, 2009

David Z. Bodenheimer, Crowell & Moring LLP

© 2009 Crowell & Moring LLP


The Technology Forecast

• Federal Information Downpour

• Cybersecurity Tidal Wave

• Homeland Security Blizzard

• Healthcare Technology Scorcher


U.S. Federal IT Marketplace

800-Pound Information Gorilla

“The Federal government is the largest single producer, collector, consumer, and disseminator of information in the United States and perhaps the world.” (OMB, 2007)

US IT Budgets

• $72.9 billion – (FY 09)

• $75.8 billion – (FY 10)


US Federal Information

Information Treasure Trove

• National Security

• Personal Data

• Infrastructure Data

• Technology

• Trade Secrets


US Federal Cybersecurity

Information Security Spending

• $14.6 Billion – (FY 09)

• $25.5 Billion – (FY 13)

• $30-40 Billion – (Next 5 Years)


US Homeland Security

Homeland Security Priorities & Dollars

DHS Budget (FY10)

• 6% (FY10 over FY09)

• $7.5 Billion (12%) – Transportation Security

• $918 Million (15%) – Critical Infrastructure

– Electrical Grid

– Financial Sector

• $127 Million (30%) – Inspector General


US Healthcare Technology

Healthcare Technology Priorities & Dollars

• Top Presidential Priority

• Health Information Technology for Economic & Clinical Health (HITECH, Title XIII, ARRA)

• $31 Billion Infrastructure & Health Information Technology

• $19 Billion Health IT

• 33% in Veterans Administration IT Budget

“Computerizing America’s health records in five years. The current, paper-based medical records system that relies on patients’ memory and reporting of their medical history is prone to error, time-consuming, costly, and wasteful. With rigorous privacy standards in place to protect sensitive medical records, we will embark on an effort to computerize all Americans’ health records in five years. This effort will help prevent medical errors, and improve health care quality, and is a necessary step in starting to modernize the American health care system and reduce health care costs.”

Homeland Security Technology



Security Technology

Technology Is The Key

“Technology is critical.” (Undersecretary Asa Hutchinson, March 12, 2003)

“Getting the best technology [and] having it interoperable.” (Sen. Ted Kennedy, March 12, 2003)

“Force multiplying nature of technology.” (Sen. Jon Kyl, March 12, 2003)


Information Sharing

Daunting Challenges

DHS Information Management

• Geography – 7,500 miles land border; 95,000 miles sea border

• Multiple Agencies – Federal/State/Local; 80,000 law enforcement officers @ 2,500 sites

• Complexity – $$$ billions $$$; multi-year projections; interoperability; schedule pressures


Security Technology

Opportunities

• No Technology Limits

– Data Mining & Analysis

– Biometrics & ID

– Threat Sensors

• No Boundaries

– Federal, State, Local

– International

• Dual-Use Technologies

– Public/Private

• Instant Demand

– Ready-to-go Technology

And Challenges

• Product Differentiation

– Multiple Solutions

– Little Effectiveness Proof

– No Central Data Bank

• Customer Fragmentation

– No Single Entry Point

– Export Restrictions

• Private-Use Barriers

– National Security

• No Development Funds

– Short-term Horizon


Liability Protection

SAFETY Act

“Support Anti-terrorism by Fostering Effective Technologies Act of 2002.”

• Homeland Security Act – Subtitle G, §§ 861-865

• Enacted Nov. 25, 2002


Liability Protections

Why Get SAFETY Act Approval?

• Exclusive Federal Jurisdiction

• Damages Limitations

– No punitive damages

– No pre-judgment interest

– Limits on “noneconomic damages”

– Offset for Collateral Source Recovery

• Liability Cap – Insurance Coverage

• Government Contractor Defense

US Privacy & Technology



US Privacy Laws

Privacy Patchwork

“There is no comprehensive federal statute that protects the privacy of personal information held by the public sector. Instead, federal law tends to employ a sectoral approach to the regulation of personal information.”

(Congressional Research Service, Privacy, Mar. 2003)

Privacy by Sector

• Financial Institutions – Gramm-Leach-Bliley Act

• Health Care Industry – HIPAA

• Educational Records – Family Educational Rights Act

• Telecom Industry – Telecommunications Act


Privacy

Privacy Wars

“I want to remind you of the lay of the privacy landscape – or perhaps it is better called a battlefield. On that battlefield, the world has become a more dangerous place.”

Jennifer Stoddart (Privacy Commissioner of Canada)


Privacy Technology Targets

Technology Targets

• ID & Biometrics

• RFID

• Intelligence Data Mining

• Commercial Data

Privacy Battlefield

• National ID Badges

• Skimming

• Misuse Potential

• No Redress or Access


Privacy Weapons

Battlefield Weapons

• Merger Opposition

– NSA Surveillance Program

• Union Challenges

– Outsourcing Protests

• Lawsuits

– $50 Billion Class Action


Privacy Casualties

Battlefield Casualties

• MATRIX Program – State & Local Law Enforcement Data Mining

• CAPPS II + Secure Flight – TSA Passenger Screening

• Total Information Awareness – DARPA Data Mining


Privacy Casualties

Total Information Awareness (TIA)

• Data Mining

• Commercial Data

• Did Not Address Privacy

• Funding Terminated by Congress


Privacy Protection

Public Law 108-90

• Data Accuracy & Testing

• Redress Process

• Privacy Oversight

– Internal

– External

• Security Controls

• Operational Safeguards

• No Technological Privacy Concerns

Fair Info Practices

1. Collection Limitations

2. Data Quality

3. Purpose Specification

4. Use Limitations

5. Security Safeguards

6. Openness

7. Individual Notice & Redress

8. Accountability

Technology Flux & Requirements Definition



Technology Risks

President’s Helicopter

Navy Cancels Contract for Presidential Chopper*

“The Navy on Monday moved to formally terminate its $13 billion contract . . . for a new presidential helicopter. Some lawmakers plan to continue their efforts to extend funding for the program, which has already cost some $3 billion.”

*AIA Daily Lead (June 2, 2009)

Wall Street Journal (June 2, 2009)


Technology Maturity

Requirements Definition

• Weapon Systems Acquisition Reform Act of 2009

– Pub. L. No. 111-23 (May ‘09)

• Technological Maturity Assessment

• Trade-offs between cost, schedule, & performance

• Critical cost growth


Technology Risks

Requirements Definition (or not)

• “For the ACE program, weaknesses in requirements definition were a major reason for recent problems and delays”

• “For US-VISIT, test plans were incomplete”

• “Secure Flight’s requirements were not well developed” (GAO, 3/29/06)


Technology Risks

From Honeymoon to Divorce

• Wedding (8/2/02): TSA selects “vendor for the TSA Information Technology Managed Services” (DHS Press Release)

• Honeymoon (5/11/04): “TSA’s $1 billion IT Managed Services contract … is being hailed as one of the largest performance-based IT contracts.” (Seminar Presentation description)

• Divorce (2/06): DHS IG “recommended that TSA terminate the current contract at the end of the base period and re-bid the contract.” (OIG-06-23 Report)


Technology Risks

Changes: “continually changing and increasing Information Technology (IT) requirements”

Undefined Requirements: “TSA did not know exactly what its IT requirements would encompass”

Unauthorized Work: “TSA agreed to pay $15 million [out of $40 million requested] for the unauthorized work”

*DHS IG Report OIG-06-23 (2/06)

Cardinal Change: Air-A-Plane Corp. v. US (Ct. Cl.) (over 1000 changes fundamentally altered contract)

No Baseline: Infotec Development Inc., ASBCA (Government liability for delay in establishing baseline)

Implied Contract: “Even though a contract be … not authorized . . . , it is only fair and just that the Government pay for goods delivered or services rendered and accepted under it.” Prestex, Inc. v. U.S. (Ct. Cl.)


Acquisition Management

DHS IG Report (OIG-06-23)

• “[Vendor] may have realized additional profit by billing uncompensated labor hours that were not reflected in the proposed base labor rates used to build up the ITOP II rates.”

• “The ITOP II fully burdened rates were not representative of the actual performance of the … contract because [Vendor] used entirely different subcontractors and fewer subcontract labor hours than initially proposed for the ITOP II rates.”

DOD IG Handbook

FRAUD INDICATORS

• Professional staff required to work a significant amount of unpaid overtime on a variety of projects, both direct and indirect.

• Encouraging employees to work significant unpaid overtime but to not record the hours, in direct conflict with company policy.

• A significant variance between proposed and negotiated vendor/subcontract prices.

• Contractor using higher courtesy bids to support proposal or negotiations knowing that lower bids are or will be available. Courtesy bids also increase the lowest bid.


Acquisition Management

Self Protection – Define Requirements

• Proposal: State expectations

• Contract: Define the requirements (who defines & when!)

• Disputes: File a claim

*Infotec Development Inc., ASBCA (Government liability for delay in establishing baseline)


Acquisition Management

Do a Requirements Inventory

• Performance Standards TBD?

– Environmental conditions: Location?

– Reliability/Durability/Operability: How long?

• Interface Control Documents: What interface?

• Test Requirement Documents: When?

• Interoperability & Standardization: What equipment?

• Inspection Standards: Commercial?

• Government-Furnished

– Property or Information: When?

– Agency Control: What agency?

Information Security Opportunities & Risks



Cybersecurity

Cyber Threats

• 3600% increase (since 1997)

• Cyber Crime = Top Problem (FBI)

• “Electronic Pearl Harbor”

• “Hackers for Hire” + Terrorists


262 Million Breaches

No One Remains to Have an ID Stolen

“2008 Data Breach Total Soars: 47% Increase over 2007” Identity Theft News (Identity Theft Daily, Jan. 5, 2009)

Records with sensitive personal information involved in security breaches in the U.S. since January 2005:

262,424,592 records (Privacy Rights Clearinghouse, June 4, 2009)

127 million records compromised in 2007 alone

– 600% increase over 2006 (Identity Theft Resource Center)


Cyber-Crime > $100 Billion

Hacking is More Lucrative than Doping

INTERNET LAW – “Cyber-Crime Hits $100 Billion in 2007, Out-earning Illegal Drug Trade” (IBLS Internet Law, Oct. 15, 2007)


“$1 trillion globally in lost intellectual property and expenditures for repairing the damage” (House Homeland Security Committee Hearing, Mar. 31, 2009)


Everyone’s On-Board

DNI, DHS & Industry Agree

“Cybersecurity Near Top of DNI Concerns” (Federal News Radio, Jan. 26, 2009)

“Third area that’s on our agenda for [2008] is cyber security” (Secretary Chertoff, DHS Press Release, Dec. 12, 2007)

“DHS Puts Cybersecurity Toward Top of 2008 To-Do List” (Federal Computer Week, Dec. 13, 2007)

“Data Breach Likely to be Hot Topic at Porn Summit” (Technology Daily, Jan. 14, 2008)


Information Security Law

The Law

• FISMA (44 USC §§ 3541-49)

– Information security for federal agencies

• Federal Acquisition Regulation (FAR)

– Flows security requirements to contractors

– Leaves details to agencies (NASA rules)

• OMB & NIST Rules

– Standards referenced in FAR

37

Information Security Law

Scope of FISMA

• Federal Information Security Mgmt. Act

– 44 USC §§ 3541-49

• Broad Scope

– Information collected/maintained for agency

– Information system used/operated by agency

– Information system of agency contractor

• Commensurate with Risk/Harm


Information Security Laws

FISMA Requirements: Contractor Coverage

“information collected or maintained . . . on behalf of an agency”

“information collected or maintained . . . by a contractor of an agency”

“information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source”

44 U.S.C. §§ 3544(a)(1), (b)

FAR Requirements: Contractor Coverage

“Section 301 of FISMA (44 U.S.C. 3544) requires that contractors be held accountable to the same security standards as Government employees when collecting or maintaining information or using or operating information systems on behalf of an agency.”

“The law requires that contractors and Federal employees be subjected to the same requirements in accessing Federal IT systems and data.”

(70 Fed. Reg. 57451 (Sept. 2005))


Information Security Laws

OMB (whitehouse.gov/omb)

OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources (Nov. 28, 2000)

OMB Memo M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (Jan. 18, 2008)

OMB Memo M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007)

NIST (csrc.nist.gov)

SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems (July 2008)

SP 800-53 Rev. 3 DRAFT Recommended Security Controls for Federal Information Systems and Organizations (Feb. 5, 2009)

SP 800-61 Rev. Computer Security Incident Handling Guide (Mar. 2008)

SP 800-83 Guide to Malware Incident Prevention and Handling (Nov. 2005)

SP 800-100 Information Security Handbook: A Guide for Managers (Oct. 2006)

SP 800-122 DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Jan. 13, 2009)


Information Security Laws

NIST Security Program

• Establishing Security Objectives

– Integrity

– Confidentiality

– Availability

• Identifying Security Needs

– Requirements identification

– Risk assessment

– Cost-effectiveness assessment

– Appropriate level of security

– Life-cycle security

NIST Security (cont.)

• Implementing the Security Program

– Policies & procedures

– Security controls

– Configuration controls

– Continuity of operations

• Ensuring Compliance

– Training

– Periodic testing & evaluation

– Accountability

– Security incident detection & reporting

– Remedial actions


Cybersecurity

Security Program

• Risk Assessment + Life-Cycle Plan

• Policies & Procedures

• Security Controls

• Incident Management

• Monitoring & Oversight

• Accountability


Cybersecurity

How Cyber Breaches Hurt Companies

• Reputation & Business Loss

• Congressional Investigations

• Criminal & Civil Penalties

• Suspension & Non-Responsibility

• Contract Breach & Torts


Cyber Breaches

Major Risk Area

• Bad Press

• Bad Business

• Boycotts

Monster Hackers Also Hit USAJobs.gov (Aug. 31, 2007)

“It now appears that Monster.com knew about a breach of its systems almost a month before Symantec told Monster of a massive phishing operation targeting Monster.com users. That long of a lag is "inexcusable," said W. David Stephenson, a homeland security and corporate crisis management consultant, "after the legacy of past problems."”


Cyber Breaches

Congressional Focus

• Hearings

• GAO Reviews

• Legislative Risks


Cyber Breaches

Criminal & Civil Penalties

• Criminal Sanctions

• Civil Penalties

• State Actions

Thompson, Langevin Demand Investigation into Department Cyber Attacks (Sept. 24, 2007)

“criminal investigation”

“fraudulent statement”


Cyber Breaches

Contractual Risks

• Contract Breach

• Nonresponsibility

• Debarment

• Past Performance

Wednesday, February 15, 2006

Firm Fired by Ohio for Lax Privacy Protection Pursuing Outsourced IRS Tax Collection Work


Questions?

David Z. Bodenheimer

Crowell & Moring LLP

dbodenheimer@crowell.com

(202) 624-2713
